dtadmin asked:
What to do with AD published certificates when decommissioning a CA?

Decommissioning a poorly maintained Windows 2003 Enterprise Root CA and its subordinate CA in preparation for replacing it with a brand new Windows 2008 AD CS based PKI. Over the years, the old subordinate CA issued quite a few certificates; most are expired, the rest are easily identifiable.

Prepared to follow instructions in Microsoft KB889250 to remove the CA, but there is no mention of what to do about the certificates that were published into AD. The e-mail admin mentioned that Exchange complains all the time about expired certs when rebuilding the GAL, so I got to thinking maybe we need to manually purge those out of the directory too.

Any advice how to carry this out, or if it's even advisable?
Akhater answered:

If you don't need the certificates that were published from this CA and haven't expired yet, then I see no reason to keep them published in AD. I know I have deleted certificates from AD from unused CAs many times and never had an issue.

Hope it helps.
When you revoke all of the certificates and publish the CRL, AD should no longer display them.

If there are just a few, you can remove them from AD manually beforehand if you really want to: in AD Users & Computers, select View > Advanced, then pull up the user accounts and view the certs tab.
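The manual route above scales badly once a CA has published certificates to many user objects, and revocation at the CA is a separate step from clearing the copies stored in the directory (they live in the multi-valued userCertificate attribute of each user object). The following PowerShell script is an added example, not code from either answer or from Microsoft; it assumes the ActiveDirectory RSAT module and rights to modify the user objects. It inventories every userCertificate value under a search base, flags values that have expired or were issued by the CA being decommissioned (identified by its common name, a placeholder here), protects a list of thumbprints you still need, and only removes anything once the -ReportOnly switch is dropped.

```powershell
# Added example (not from the thread): inventory and optionally remove
# certificates published to the userCertificate attribute of AD users.
# Assumptions: ActiveDirectory module (RSAT) is available; the caller can
# write to the user objects; the CA name below is a placeholder.
param(
    # Common name of the CA being decommissioned (placeholder value).
    [string]$DecommissionedCaName = 'OLD-SUB-CA-PLACEHOLDER',
    # Thumbprints of certificates that must stay published regardless.
    [string[]]$KeepThumbprints = @(),
    [string]$SearchBase = (Get-ADDomain).DistinguishedName,
    # Report only; nothing is removed until this switch is omitted.
    [switch]$ReportOnly
)

Import-Module ActiveDirectory

$now    = Get-Date
$report = New-Object System.Collections.Generic.List[object]
$keep   = $KeepThumbprints | ForEach-Object { $_.ToUpperInvariant() }

# Presence filter: only user objects that have a userCertificate value.
$users = Get-ADUser -LDAPFilter '(userCertificate=*)' `
                    -SearchBase $SearchBase -Properties userCertificate

foreach ($u in $users) {
    foreach ($raw in $u.userCertificate) {
        try {
            # Each attribute value is a DER-encoded certificate (byte[]).
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 (,$raw)
        } catch {
            # Not parseable as a certificate: report it, leave it alone.
            $report.Add([pscustomobject]@{
                User = $u.SamAccountName; Subject = '<unparseable>'
                IssuerCN = ''; NotAfter = $null; Thumbprint = ''; Action = 'skip'
            })
            continue
        }

        # Issuer CN via GetNameInfo(SimpleName, forIssuer=$true).
        $issuerCn = $cert.GetNameInfo(
            [System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $true)

        $expired   = $cert.NotAfter -lt $now
        $fromOldCa = $issuerCn -eq $DecommissionedCaName
        $protected = $keep -contains $cert.Thumbprint.ToUpperInvariant()

        $action = if ($protected) { 'keep (pinned)' }
                  elseif ($expired -or $fromOldCa) { 'remove' }
                  else { 'keep' }

        $report.Add([pscustomobject]@{
            User       = $u.SamAccountName
            Subject    = $cert.Subject
            IssuerCN   = $issuerCn
            NotAfter   = $cert.NotAfter
            Thumbprint = $cert.Thumbprint
            Action     = $action
        })

        if ($action -eq 'remove' -and -not $ReportOnly) {
            # Remove exactly this value from the multi-valued attribute;
            # other published certificates on the object are untouched.
            Set-ADUser -Identity $u -Remove @{ userCertificate = $raw }
        }
    }
}

$report | Sort-Object User, NotAfter | Format-Table -AutoSize
```

Run it first as `.\Clean-PublishedCerts.ps1 -DecommissionedCaName 'YourOldSubCA' -ReportOnly` and review the table; the Action column tells you what a second run without -ReportOnly would delete. Removing a value from userCertificate only stops the directory (and anything that reads it, such as an Exchange GAL rebuild) from handing out that certificate; it does not revoke it, so revocation and CRL publication at the CA remain a separate step. Computer objects carry the same attribute and can be handled the same way with Get-ADComputer and Set-ADComputer.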
dtadmin (asker) replied:

By what mechanism does a certificate get cleared out of the directory upon revocation?  We've revoked all but a couple certificates that we know we need yet they all still appear to be published under the user accounts.  I'm not sure where to start troubleshooting this.
Accepted solution by Paranormastic.